On 2 Sep 2014 00:08, "Antoine Pitrou" <solipsis at pitrou.net> wrote: > > On Mon, 1 Sep 2014 23:42:10 +1000 > Chris Angelico <rosuav at gmail.com> wrote: > > >> > > >> That has to be done inside the same process. But imagine this > > >> scenario: You have a program that gets invoked as root (or some other > > >> user than yourself), and you're trying to fiddle with what it sees. > > >> You don't have root access, but you can manipulate the file system, to > > >> the extent that your userid has access. What can you do to affect this > > >> other program? > > > > > > If you're root you shouldn't run untrusted code. See > > > https://docs.python.org/3/using/cmdline.html#cmdoption-I > > > > Right, which is why sslcustomize has to be controlled by that, but the > > possibility of patching (or monkeypatching) ssl.py isn't as big a > > deal. > > To be frank I don't understand what you're arguing about. When I said "shadowing ssl can be tricky to arrange", Chris correctly interpreted it as referring to the filesystem based privilege escalation scenario that isolated mode handles, not to normal in-process monkeypatching or module injection. I don't consider the latter cases to be interesting attack scenarios, as they imply the attacker is *already* running arbitrary Python code inside your CPython process, so you've already lost. Cheers, Nick. > > > _______________________________________________ > Python-Dev mailing list > Python-Dev at python.org > https://mail.python.org/mailman/listinfo/python-dev > Unsubscribe: https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20140902/eb148ebe/attachment-0001.html>
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4